Composer Logo

Using composer to manage web projects

Composer is a package management tool for PHP. Helping you declare and manage your projects library dependencies.

What is Composer?

Unlike Operating systems such as Linux and MacOsx, composer is NOT a package manager such as systems like YUM, APTITUDE, APT or HomeBrew.  But more of a project by project basis dependency manager, since everything is installed within the ./vendor directory and not a global scale.

Composer however does have a global dependency section though, this is more to assist with the project dependencies.

So if you have a project whether that be a framework or a custom PHP application. Whilst either of these can have requirements you can tell composer to require these libraries within. Whilst have it manage there dependencies as well as the projects dependencies.

Using the tool.

Initializing  a project

Lets assume you are starting a brand new PHP project, and your going to use some libraries that already exist.  First and  foremost we need to take the base project and convert it to a composer project.

To do this we simply create a directory via our terminal and move into our new directory.

In order to create a new project we run the below command:

composer init

Composer init.You will then be asked a set of question to fill in. Like  the sceen shot to the left:

This will create you an initial composer.json file. The composer.json file is used to contain all the information about your project and its dependencies. There names, custom repositories, project name even down to stability and author information.

If you open your composer.json you will see something like below. The other way to create an initial composer.json is manually using the below information.

    "name": "new-project/test",
    "description": "This is a test project",
    "type": "project",
    "authors": [
            "name": "Daniel Coull",
            "email": ""
    "minimum-stability": "dev",
    "require": {}

Requiring Libraries

Now normally if you dont wish to init and use all information, the first thing to do would be require libraries. You can do this two ways manually or using the cli.

If you did composer init like above, you will see a require:{} section. Within this section we can add our package  / Library, in this case we will use the psr/log library used for creating logs.

    "require": {
        "psr/log": "*"

The above says to require a package psr/log with a version constraint. In this case * which will use the most up to date, you would normally however specify a version number.

The second way would be to use the CLI require key.

composer require psr/log:*

But suppose we only want this package for development purposes not for the production. We can add another section to our json file “require-dev” in the same way as the require. Or we can use the --dev flag in combination with the require key.

composer require --dev psr/log:*

Installing packages

If composer has not yet been installed there will be no composer.lock file just composer.json. The composer.lock is a compilation of all dependencies and there installed versions. Having a composer.lock suggests somebody has already run the install key.

Without the composer.lock composer will simply resolve all dependencies for all libraries requested for install.

To install we simply run the below command.

composer install

Although our json may have another require section for dev under require-dev. If we don’t wish to install these packages we can use the --no-dev flag with the install key. But if we do wish to install the development libraries we need to use the --dev flag to do so.

Once installed a composer.lock will be generated.

A tip after the first install and once the composer.lock is generated its a good idea to commit the composer.lock to your git repository. This means that everyone working on the project is fixed to the same version.

If you run the install key with the composer.lock present composer will resolve all dependencies from composer.json. But instead of downloading the latest version it will only download the version specified in the lock file. This entrusts that the project wont break when others are working on it.

Updated packages

Now assume that we are using a specific version for our libraries but the version has changed and our project requires the latest version. We can simply change the version in our composer.json or rerun the require key with the new version. But then rerunning the composer install  key will do nothing as the version would be locked in the composer.lock.

So instead of install key we need to use the update key again we can use the --dev and --no-dev flags to make sure we update the correct parts.

composer update --dev

This will in turn update our composer.lock with the new updated version to be committed back to the git repository for others to update also.

Dependency life cycle  and repositories

Composer Lifecycle

So how does composer actually work. So first off composer looks for each of your dependencies within  if the dependency name can not be found composer then moves on to the repository key within the composer.json.

Once all the dependencies have been resolved it continues to download and install each dependency into the vendor directory, under vendor-name/library-name.  And if no errors occur like not being able to resolve a dependency, the composer.lock is either written or updated.

Lets say composer cant find your package on, and that the library resides locally or on git. We can use the config repositories key to add the repository to composer.json to resolve the dependency.

composer config repositories.repo-name vcs

What we did is used the config repositories followed by a name repositories.repo-name then we have told it the type of repo this could be vcs or if its local we could use path and finally we have set the destination. Now you can use the require key again followed by the update key to install the package that was not found.

Create project and Removing dependencies

Lets say your installing a project, you can do like above adding each dependency but lets say its a framework. This framework may already have a composer.json stored remotely to install. We can use the create-project key to create the project. Lets assume its Magento 2, you can see how do to this here.  We can use the create-project key like below.

 composer create-project --repository= magento/project-community-edition directory-to-install

The --repository flag tells composer where to find the composer.json. The magento/project-community-edition tells composer the name of the composer.json to resolve at the repository url. Finally we tell composer the directory to install the project.

But from time to time out framework may install something we just don’t need, and we wish to remove it.

Composer to the rescue again inside our composer.json after require we can use the replace key.

   "replace": {
     "vendor/module-to-remove": "*"

If we now run composer update the module will be removed from our vendor directory after install.

Cretaing a library

Lets speculate that your creating a library yourself to share 9 out of 10 times, that library will need to tell other frameworks where to find certain php namespaces.

Composer again helps us define this, to let other frameworks where to find the files.  In composer.json we can an autoload key, in there we can define the PSR type, such as PSR-0 or PSR-4 depending on the standard your working with.

And under there we can point to our files.

    "autoload": {
        "psr-0": {
            "BoxLeafDigital":        "src/",
            "BoxLeafDigital\\Tests": "tests/",


So to conclude you should now have a basic understanding of different aspects of Composer, how to manage composer and how to conduct the basics of Composer. Composer can do allot its just understanding exactly what your project needs it to do. For further information look at the in depth documentation at

If you can think of anything else you want to know don’t hesitate to drop me an email and il try and update.

Send us a Skype message


Call boxleaf Digital